Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
22/08/2024, 13:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7adb54744c3b889cd3d4c124841d53e0N.exe
Resource
win7-20240708-en
windows7-x64
3 signatures
120 seconds
Behavioral task
behavioral2
Sample
7adb54744c3b889cd3d4c124841d53e0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
3 signatures
120 seconds
General
-
Target
7adb54744c3b889cd3d4c124841d53e0N.exe
-
Size
89KB
-
MD5
7adb54744c3b889cd3d4c124841d53e0
-
SHA1
fd8290e1b4efb15c8e5b010d216034d9e6c1fa14
-
SHA256
65fd668c7fa264e5eaacfda3d8e6a997210420027c105c3a2418c111aa73a155
-
SHA512
5e1b2949c1cab29f07e2a9d8d5726432b7bf3a96bed776a54032e9a2c709e5185736108adcad2036f74a1b239f5bb54e7e8cb20e427ba982fc7124e01fede060
-
SSDEEP
1536:W7ZppApUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsAcEhT:6pWpUFpEhLfyBtPf50FWkFpPDze/qFse
Score
9/10
Malware Config
Signatures
-
Renames multiple (4359) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ul-oob.xrm-ms.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ko.pak.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansDemiBold.ttf.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Java\jre-1.8\README.txt.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-oob.xrm-ms.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Common Files\System\ado\msador28.tlb.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationCore.resources.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-phn.xrm-ms.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.HttpListener.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.Vectors.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Quic.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Xaml.resources.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationProvider.resources.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\javafx_iio.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\prism_sw.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Java\jre-1.8\bin\prism_common.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Java\jre-1.8\legal\jdk\dom.md.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\7-Zip\Lang\ca.txt.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\ReachFramework.resources.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Primitives.resources.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Java\jre-1.8\lib\ext\dnsns.jar.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-oob.xrm-ms.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationFramework.resources.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ppd.xrm-ms.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ppd.xrm-ms.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationClient.resources.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Internet Explorer\hmmapi.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-phn.xrm-ms.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Sockets.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.SecureString.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkDrop32x32.gif.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-pl.xrm-ms.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.IsolatedStorage.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.resources.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.DispatchProxy.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoDev.png.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-pl.xrm-ms.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\7-Zip\Lang\ky.txt.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\ReachFramework.resources.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ppd.xrm-ms.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XDocument.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Design.resources.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Java\jre-1.8\bin\awt.dll.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp 7adb54744c3b889cd3d4c124841d53e0N.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7adb54744c3b889cd3d4c124841d53e0N.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7adb54744c3b889cd3d4c124841d53e0N.exe"C:\Users\Admin\AppData\Local\Temp\7adb54744c3b889cd3d4c124841d53e0N.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3496
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1432,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:81⤵PID:2328
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
90KB
MD5933f01356a53a8df9c8dfb3655f0add7
SHA1f39a7ce16ccb916d9d751da0e14bd98300eaf306
SHA25660296df52e5852f08a58266a3641211030b66adaf65c200dcd000e514ed1335b
SHA5120d284445c6a5439eb36d90a2756b6b374448ed424385240cdf87c2e6ead5224f0dab517fd892541cdabcc5a9e1b2d936b2f782eb704e5ec2091e350555565742
-
Filesize
202KB
MD5ed7f6bac5026e7b7c546bd49c7c8a67b
SHA1e8444bdb239b7d9fea9a4101980cb2f3793156a4
SHA2569db3a9f5c584cecf8b2223ff2cca7f6626beb51b22fb4555ccf216b48717c257
SHA512276f490e623d37c47cebd5e0c862f6a990abbb164c02c5c83051b4a9cb5f564cdbc333298a4e79cc2cbe422d2d6d47c78b4c9968b25063bb3450ec3e20172ab1